Postfix: Difference between revisions
(42 intermediate revisions by the same user not shown) | |||
Line 7: | Line 7: | ||
touch transport | touch transport | ||
touch aliases | touch aliases | ||
touch sender_whitelist | |||
postmap aliases | postmap aliases | ||
postmap virtual | postmap virtual | ||
postmap transport | postmap transport | ||
postmap sender_whitelist | |||
</pre> | </pre> | ||
This goes in some of the files: | This goes in some of the files: | ||
== /etc/postfix/virtual == | |||
<pre> | <pre> | ||
# In order to translate any mailbox address from one domain to a mapped user on another domain add the following entries: | # In order to translate any mailbox address from one domain to a mapped user on another domain add the following entries: | ||
Line 28: | Line 31: | ||
# Catchalls are set up with | # Catchalls are set up with | ||
# @domain.ext userid | # @domain.ext userid | ||
</pre> | |||
/etc/postfix/virtual-domains | == /etc/postfix/virtual-domains == | ||
<pre> | |||
# This file contains the domains for which postfix will accept email | # This file contains the domains for which postfix will accept email | ||
# It's not a hash file, so no need to run postmap on it. | # It's not a hash file, so no need to run postmap on it. | ||
</pre> | </pre> | ||
== /etc/postfix/transport == | |||
<pre> | |||
# This is the list of domains we will transport mail for over smtp, using different protocols. | |||
# This is a hashfile, so postmap transport after editing. | |||
</pre> | |||
== /etc/postfix/sender_whitelist == | |||
<pre> | |||
# don't forget to postmap sender_whitelist after editing, as it's a hash file | |||
# we are a relay for this host | |||
domoticz.edgarbv.int OK | |||
</pre> | |||
Make sure the following is appended to mynetworks in main.cf | Make sure the following is appended to mynetworks in main.cf | ||
<pre> | <pre> | ||
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/ | mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24, 212.61.33.42/32, 31.160.12.64/29, 188.204.140.192/27, 217.81.192.88/32 | ||
</pre> | </pre> | ||
'''On the machine sending mail from the home network'' | |||
Also, because this machine is relaying from my home network (because port 25 traffic is blocked by my ISP), change in main.cf | |||
<pre> | <pre> | ||
# | relayhost = MY.IP.ADDRESS:587 | ||
</pre> | |||
(it was empty) | |||
== These are the /etc/postfix/main.cf edits == | |||
<pre> | |||
# My edits | |||
# Prevent backscatter | # Prevent backscatter | ||
local_recipient_maps = proxy:unix:passwd.byname $alias_maps | local_recipient_maps = proxy:unix:passwd.byname $alias_maps | ||
unverified_recipient_reject_code = 550 | unverified_recipient_reject_code = 550 | ||
unverified_sender_reject_code = 550 | unverified_sender_reject_code = 550 | ||
message_size_limit = 15000000 | message_size_limit = 15000000 | ||
Line 57: | Line 83: | ||
alias_database = hash:/etc/postfix/aliases | alias_database = hash:/etc/postfix/aliases | ||
virtual_mailbox_base = /var/spool/mail | virtual_mailbox_base = /var/spool/mail | ||
# Anti Spam measures | # Anti Spam measures (note the order is important!) | ||
smtpd_client_restrictions = permit_mynetworks, | |||
permit_sasl_authenticated, | |||
reject_rbl_client sbl.spamhaus.org, | |||
reject_rbl_client bl.spamcop.net, | |||
permit | |||
smtpd_helo_restrictions = permit_mynetworks, | |||
check_sender_access hash:/etc/postfix/sender_whitelist, | |||
reject_invalid_helo_hostname, | |||
permit | |||
smtpd_sender_restrictions = permit_mynetworks, | |||
check_sender_access hash:/etc/postfix/sender_whitelist, | |||
reject_non_fqdn_sender, | |||
reject_unknown_sender_domain, | |||
permit | |||
smtpd_data_restrictions = reject_unauth_pipelining, | |||
permit | |||
# This is the new style for after 2.10. Debian still has 2.9. They then get removed from smtpd_recipient_restrictions | |||
#smtpd_relay_restrictions = permit_mynetworks, | |||
# permit_sasl_authenticated, | |||
# reject_unauth_destination, | |||
# permit | |||
smtpd_relay_restrictions = permit_mynetworks, | |||
permit_sasl_authenticated, | |||
check_sender_access hash:/etc/postfix/sender_whitelist, | |||
reject_unauth_destination, | |||
reject_unknown_recipient_domain, | |||
reject_unlisted_recipient, | |||
reject_unverified_recipient, | |||
reject_non_fqdn_recipient, | |||
reject_unknown_sender_domain, | |||
reject_non_fqdn_hostname, | |||
reject_unauth_pipelining, | |||
reject_rbl_client zen.spamhaus.org, | |||
reject_rbl_client bl.spamcop.net, | |||
permit | |||
smtpd_recipient_restrictions = permit_mynetworks, | smtpd_recipient_restrictions = permit_mynetworks, | ||
check_sender_access hash:/etc/postfix/sender_whitelist, | |||
permit_sasl_authenticated, | |||
reject_unauth_destination, | reject_unauth_destination, | ||
reject_unknown_recipient_domain, | reject_unknown_recipient_domain, | ||
reject_unlisted_recipient, | reject_unlisted_recipient, | ||
reject_unverified_recipient, | reject_unverified_recipient, | ||
reject_non_fqdn_recipient, | reject_non_fqdn_recipient, | ||
reject_unknown_sender_domain, | |||
reject_non_fqdn_hostname, | reject_non_fqdn_hostname, | ||
reject_unauth_pipelining, | reject_unauth_pipelining, | ||
# spamhaus is only for non-commercial / low volume use | |||
reject_rbl_client zen.spamhaus.org, | reject_rbl_client zen.spamhaus.org, | ||
reject_rbl_client bl.spamcop.net, | reject_rbl_client bl.spamcop.net, | ||
permit | permit | ||
# you can test the above lines by putting warn_if_reject before a rule, eg "warn_if_reject reject_non_fqdn_hostname,", which puts up a warning in the logfiles, but allows the mail to go through anyway | |||
smtpd_helo_required = yes | smtpd_helo_required = yes | ||
disable_vrfy_command = yes | disable_vrfy_command = yes | ||
Line 118: | Line 166: | ||
<pre> | <pre> | ||
postconf -n | postconf -n | ||
or | |||
postconf -d | |||
</pre> | </pre> | ||
Line 135: | Line 185: | ||
DEFAULT="$HOME/Maildir/" | DEFAULT="$HOME/Maildir/" | ||
MAILDIR="$HOME/Maildir/" | MAILDIR="$HOME/Maildir/" | ||
</pre> | |||
Create everything | |||
<pre> | |||
mkdir /var/log/mail/ | |||
touch /var/log/mail/procmail | |||
</pre> | |||
=== Old procmail (non maildir) === | |||
vi /etc/procmailrc | |||
<pre> | |||
#Procmailrc modified by RazoR | |||
# | |||
MAILDIR=/var/spool/mail | |||
LOGFILE=/var/log/mail/procmail | |||
LOGABSTRACT=all | |||
VERBOSE=off | |||
LOG=$date | |||
</pre> | |||
Create everything | |||
<pre> | |||
mkdir /var/log/mail/ | |||
touch /var/log/mail/procmail | |||
</pre> | |||
== If you mount your mail (mbox format) == | |||
<pre> | |||
ln -s /home/spool/mail/ /var/mail | |||
</pre> | </pre> | ||
Line 141: | Line 220: | ||
Edit /etc/logrotate.d/rsyslog to add /var/log/mail/procmail to it | Edit /etc/logrotate.d/rsyslog to add /var/log/mail/procmail to it | ||
edit the mail lines in /etc/rsyslog.conf to go to /var/log/mail/ | edit the mail lines in /etc/rsyslog.conf to go to /var/log/mail/ something like: | ||
<pre> | |||
mail.info -/var/log/mail/mail.info | |||
mail.warn -/var/log/mail/mail.warn | |||
mail.err /var/log/mail/mail.err | |||
</pre> | |||
<pre> | <pre> | ||
mv /var/log/mail.* /var/log/mail/ | |||
service rsyslog restart | |||
</pre> | </pre> | ||
Line 177: | Line 260: | ||
sharedscripts | sharedscripts | ||
prerotate | prerotate | ||
/opt/ | /opt/myhost/statisticsmyhostmail.sh | ||
endscript | endscript | ||
rotate 7 | rotate 7 | ||
Line 191: | Line 274: | ||
endscript | endscript | ||
} | } | ||
</pre> | |||
=== If still using popa3d === | |||
<pre> | |||
touch /var/log/mail/popa3d.log | |||
</pre> | |||
'''FOR OLD SYSLOG BEHAVIOUR''' | |||
<pre> | |||
!popa3d | |||
*.* /var/log/mail/popa3d.log | |||
</pre> | |||
'''FOR RSYSLOG''' | |||
<pre> | |||
in /etc/rsyslog.d/popa3d.conf | |||
if $programname == 'popa3d' and $syslogseverity <= '6' then /var/log/mail/popa3d.log | |||
if $programname == 'popa3d' and $syslogseverity <= '6' then ~ | |||
</pre> | </pre> | ||
Line 208: | Line 310: | ||
set spoolfile="~/Maildir" | set spoolfile="~/Maildir" | ||
</pre> | </pre> | ||
= Authentication with sasl = | |||
This uses saslauthd as an authentication layer between pam and postfix smtpd services to check if the user is allowed to log in. There are methods to use dovecot as an authentication layer too, but I haven't gotten that to work. | |||
This one works so far: | |||
http://wiki.debian.org/PostfixAndSASL with more info at http://www.postfix.org/SASL_README.html | |||
Install libsasl2-modules, postfix, postfix-tls, sasl2-bin | |||
/etc/postfix/sasl/smtpd.conf | |||
<pre> | |||
pwcheck_method: saslauthd | |||
mech_list: PLAIN LOGIN | |||
</pre> | |||
/etc/default/saslauthd | |||
<pre> | |||
START=yes | |||
</pre> | |||
<pre> | |||
adduser postfix sasl | |||
</pre> | |||
/etc/fstab | |||
<pre> | |||
/var/run/saslauthd /var/spool/postfix/var/run/saslauthd bind bind 0 0 | |||
</pre> | |||
<pre> | |||
cd /var/spool/postfix | |||
mkdir -p var/run/saslauthd | |||
mount /var/spool/postfix/var/run/saslauthd | |||
</pre> | |||
/etc/postfix/main.cf | |||
<pre> | |||
smtpd_sasl_local_domain = $myhostname | |||
smtpd_sasl_auth_enable = yes | |||
broken_sasl_auth_clients = yes | |||
</pre> | |||
also make sure that smtpd_recipient_restrictions includes | |||
<pre> | |||
permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination | |||
</pre> | |||
== TLS == | |||
TLS is an encryption layer that runs on the submission port (587) waiting for people to log in. Make sure the firewall opens this port on UDP / TCP | |||
First you need to generate the key files for the fully qualified mailname / myhostname / hostname of the machine. You can have multiple key files, but only one per IP adress. | |||
=== Generating the certificate files === | |||
Get the certificate from Lets Encrypt | |||
<pre> | |||
certbot certonly -d mail.edgarbv.com | |||
</pre> | |||
choose apache. | |||
==== Depreciated ==== | |||
When filling in common name (CN) Always fill in your domain eg mail.edgarbv.com | |||
Generate a private key | |||
<pre> | |||
openssl genrsa -des3 -out mail.edgarbv.com.key 2048</pre> | |||
Create a certificate request | |||
<pre> | |||
openssl req -new -key mail.edgarbv.com.key -out mail.edgarbv.com.csr | |||
</pre> | |||
Self sign the key | |||
<pre> | |||
openssl x509 -req -days 365 -in mail.edgarbv.com.csr -signkey mail.edgarbv.com.key -out mail.edgarbv.com.crt | |||
</pre> | |||
remove the password from the private certificate (we do this, so we don’t have to enter a password when you restart postfix): | |||
<pre> | |||
openssl rsa -in mail.edgarbv.com.key -out mail.edgarbv.com.key.nopasscp mail.domain.tld.key mail.edgarbv.com.key.pass | |||
mv mail.domain.tld.key.nopass mail.edgarbv.com.key | |||
</pre> | |||
Make ourself a trusted CA: | |||
<pre> | |||
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 | |||
</pre> | |||
Copy the files into a proper location: | |||
<pre> | |||
chmod 600 mail.edgarbv.com.key | |||
chmod 600 cakey.pem | |||
mv mail.edgarbv.com.key /etc/ssl/private/ | |||
mv mail.edgarbv.com.crt /etc/ssl/certs/ | |||
mv cakey.pem /etc/ssl/private/ | |||
mv cacert.pem /etc/ssl/certs/ | |||
</pre> | |||
=== /etc/postfix/main.cf === | |||
<pre> | |||
# TLS parameters | |||
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.edgarbv.com/fullchain.pem | |||
smtpd_tls_key_file = /etc/letsencrypt/live/mail.edgarbv.com/privkey.pem | |||
smtpd_use_tls = yes | |||
smtpd_tls_security_level = may | |||
smtpd_tls_loglevel = 2 | |||
smtpd_tls_received_header = yes | |||
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache | |||
smtp_tls_note_starttls_offer = yes | |||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache | |||
</pre> | |||
==== Depreciated ==== | |||
<pre> | |||
smtpd_tls_cert_file = /etc/ssl/certs/mail.edgarbv.com.crt | |||
smtpd_tls_key_file = /etc/ssl/private/mail.edgarbv.com.key | |||
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem | |||
</pre> | |||
== Security for sasl and TLS == | |||
NB Default policy is: | |||
<pre> | |||
smtp_sasl_security_options = noplaintext, noanonymous | |||
</pre> | |||
So that shouldn't have to be changed to | |||
<pre> | |||
smtp_sasl_security_options = noanonymous | |||
</pre> | |||
Unless the remote server only offers plaintext authentication. | |||
The same goes for TLS, where default is | |||
<pre> | |||
smtp_sasl_tls_security_options = $smtp_sasl_security_options | |||
</pre> | |||
This could be changed to something like: | |||
<pre> | |||
smtp_sasl_security_options = noanonymous, noplaintext | |||
smtp_sasl_tls_security_options = noanonymous | |||
</pre> | |||
== using the submission port (587) == | |||
NB no whitespace around the '=' sign! | |||
/etc/postfix/master.cf | |||
<pre> | |||
submission inet n - - - - smtpd | |||
-o syslog_name=postfix/submission | |||
-o smtpd_etrn_restrictions=reject | |||
-o smtpd_enforce_tls=yes | |||
-o smtpd_sasl_auth_enable=yes | |||
</pre> | |||
Ensure the port is open in shorewall as well :) | |||
Options to look at: | |||
<pre> | |||
-o smtpd_tls_security_level=encrypt | |||
-o smtpd_sasl_security_options=noanonymous | |||
-o smtpd_sender_login_maps=hash:/etc/postfix/virtual | |||
</pre> | |||
== using SSL with the ssmtp / smtps port (465) == | |||
/etc/postfix/master.cf | |||
<pre> | |||
smtps inet n - - - - smtpd | |||
-o syslog_name=postfix/smtps | |||
-o smtpd_etrn_restrictions=reject | |||
-o smtpd_tls_wrappermode=yes | |||
-o smtpd_sasl_auth_enable=yes | |||
</pre> | |||
Ensure the port is open in shorewall as well :) | |||
== Testing == | |||
After a postfix restart you can telnet to the open ports, issue an ehlo and you should see '''AUTH''' in the list. Once for compliant and once for brokenclients | |||
<pre> | |||
telnet localhost 25 | |||
Trying 127.0.0.1... | |||
Connected to edgarinet.localdomain. | |||
Escape character is '^]'. | |||
220 edgarinet.edgarbv.com ESMTP Postfix (Debian/GNU) | |||
ehlo edgarbv.com | |||
250-edgarinet.edgarbv.com | |||
250-PIPELINING | |||
250-SIZE 15000000 | |||
250-ETRN | |||
250-STARTTLS | |||
'''250-AUTH PLAIN LOGIN | |||
250-AUTH=PLAIN LOGIN''' | |||
250-ENHANCEDSTATUSCODES | |||
250-8BITMIME | |||
250 DSN | |||
</pre> | |||
If you don't see the '''AUTH''' in the list when connecting to port 587, There may be a problem with the certificate files. You can try putting the pem and key files are in the /etc/postfix directory somewhere. It doesn't always like it if they are in /etc/ssl/... somewhere but then it doesn't always like it if they are in the postfix dir either :S | |||
You can check if the server is running properly as an SSL server with | |||
<pre> | |||
openssl verify -purpose sslserver /etc/ssl/certs/ssl-cert-snakeoil.pem | |||
</pre> | |||
You can check if SASL is running with | |||
<pre> | |||
testsaslauthd -u razor -p "password" | |||
</pre> | |||
Increase logging with | |||
<pre> | |||
smtpd_tls_loglevel = 2 | |||
</pre> | |||
in main.cf | |||
== setting up for dovecot == | |||
An alternative idea is you set up dovecot to accept authentication through SASL and then pipe postfix through it to let it authenticate. | |||
http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL | |||
You can test it as explained in these pages: | |||
http://www.anchor.com.au/hosting/dedicated/Postfix-SASL-setup | |||
http://www.adomas.org/2006/08/postfix-dovecot/ | |||
= Useful info = | = Useful info = | ||
Line 349: | Line 671: | ||
/var/log/mail/mail.log { | /var/log/mail/mail.log { | ||
prerotate | prerotate | ||
/opt/ | /opt/myhost/statisticsmyhostmail.sh | ||
endscript | endscript | ||
daily | daily |
Latest revision as of 13:24, 16 May 2019
Installing Postfix
Changes for a new install on Debian in /etc/postfix:
touch relay-domains touch virtual touch virtual-domains touch transport touch aliases touch sender_whitelist postmap aliases postmap virtual postmap transport postmap sender_whitelist
This goes in some of the files:
/etc/postfix/virtual
# In order to translate any mailbox address from one domain to a mapped user on another domain add the following entries: # account1@olddomain.ext account1 # account2@olddomain.ext account2 # newdomain.ext DOMAIN # @newdomain.ext @olddomain.ext # this will ensure that account1@olddomain.ext AND account1@newdomain.ext is delivered to account1 and account2@[newdomain or olddomain].ext goes to account2 # After changing this file run # postmap virtual # Catchalls are set up with # @domain.ext userid
/etc/postfix/virtual-domains
# This file contains the domains for which postfix will accept email # It's not a hash file, so no need to run postmap on it.
/etc/postfix/transport
# This is the list of domains we will transport mail for over smtp, using different protocols. # This is a hashfile, so postmap transport after editing.
/etc/postfix/sender_whitelist
# don't forget to postmap sender_whitelist after editing, as it's a hash file # we are a relay for this host domoticz.edgarbv.int OK
Make sure the following is appended to mynetworks in main.cf
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24, 212.61.33.42/32, 31.160.12.64/29, 188.204.140.192/27, 217.81.192.88/32
'On the machine sending mail from the home network Also, because this machine is relaying from my home network (because port 25 traffic is blocked by my ISP), change in main.cf
relayhost = MY.IP.ADDRESS:587
(it was empty)
These are the /etc/postfix/main.cf edits
# My edits # Prevent backscatter local_recipient_maps = proxy:unix:passwd.byname $alias_maps unverified_recipient_reject_code = 550 unverified_sender_reject_code = 550 message_size_limit = 15000000 # Add virtual accounts and all the domains into these two files virtual_alias_maps = hash:/etc/postfix/virtual virtual_alias_domains = /etc/postfix/virtual-domains # To make aliases add them to these files alias_maps = hash:/etc/postfix/aliases alias_database = hash:/etc/postfix/aliases virtual_mailbox_base = /var/spool/mail # Anti Spam measures (note the order is important!) smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client sbl.spamhaus.org, reject_rbl_client bl.spamcop.net, permit smtpd_helo_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_whitelist, reject_invalid_helo_hostname, permit smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_whitelist, reject_non_fqdn_sender, reject_unknown_sender_domain, permit smtpd_data_restrictions = reject_unauth_pipelining, permit # This is the new style for after 2.10. Debian still has 2.9. They then get removed from smtpd_recipient_restrictions #smtpd_relay_restrictions = permit_mynetworks, # permit_sasl_authenticated, # reject_unauth_destination, # permit smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_whitelist, reject_unauth_destination, reject_unknown_recipient_domain, reject_unlisted_recipient, reject_unverified_recipient, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_non_fqdn_hostname, reject_unauth_pipelining, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit smtpd_recipient_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_whitelist, permit_sasl_authenticated, reject_unauth_destination, reject_unknown_recipient_domain, reject_unlisted_recipient, reject_unverified_recipient, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_non_fqdn_hostname, reject_unauth_pipelining, # spamhaus is only for non-commercial / low volume use reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit # you can test the above lines by putting warn_if_reject before a rule, eg "warn_if_reject reject_non_fqdn_hostname,", which puts up a warning in the logfiles, but allows the mail to go through anyway smtpd_helo_required = yes disable_vrfy_command = yes default_process_limit = 100 # This is what postfix will act as an SMTP server for relay_domains = /etc/postfix/relay-domains # For delayed delivery using etrn defer_transports = etrn-only fast_flush_domains = $relay_domains smtpd_etrn_restrictions = permit_mynetworks, reject # This is all added for Mailman transport_maps = hash:/etc/postfix/transport mailman_destination_recipient_limit = 1 # This is for maildir delivery home_mailbox = Maildir/
Some of the documentation on Maildir sets
mailbox_command =
But we're going to configure procmail to deliver to mailbox later, so we keep it as such:
mailbox_command = procmail -a "$EXTENSION"
Check configuration
postconf -n or postconf -d
get rid of the postfix pop daemon
apt-get install dovecot-popa3d (for maildir support)
procmail
Change procmail to maildir delivery. Create /etc/procmailrc
LOGFILE=/var/log/mail/procmail LOGABSTRACT=all VERBOSE=off LOG=$date DEFAULT="$HOME/Maildir/" MAILDIR="$HOME/Maildir/"
Create everything
mkdir /var/log/mail/ touch /var/log/mail/procmail
Old procmail (non maildir)
vi /etc/procmailrc
#Procmailrc modified by RazoR # MAILDIR=/var/spool/mail LOGFILE=/var/log/mail/procmail LOGABSTRACT=all VERBOSE=off LOG=$date
Create everything
mkdir /var/log/mail/ touch /var/log/mail/procmail
If you mount your mail (mbox format)
ln -s /home/spool/mail/ /var/mail
rsyslog and logrotation
Edit /etc/logrotate.d/rsyslog to add /var/log/mail/procmail to it
edit the mail lines in /etc/rsyslog.conf to go to /var/log/mail/ something like:
mail.info -/var/log/mail/mail.info mail.warn -/var/log/mail/mail.warn mail.err /var/log/mail/mail.err
mv /var/log/mail.* /var/log/mail/ service rsyslog restart
In /etc/logrotate.d/rsyslog (nb. because we have moved mail logs to /var/log/mail from /var/log)
/var/log/syslog { rotate 7 daily missingok notifempty delaycompress compress postrotate invoke-rc.d rsyslog reload > /dev/null endscript } /var/log/daemon.log /var/log/kern.log /var/log/auth.log /var/log/user.log /var/log/lpr.log /var/log/cron.log /var/log/debug /var/log/messages /var/log/mail/mail.info /var/log/mail/mail.warn /var/log/mail/mail.err /var/log/mail/mail.log /var/log/mail/popa3d.log /var/log/mail/spamd.log /var/log/mail/procmail { sharedscripts prerotate /opt/myhost/statisticsmyhostmail.sh endscript rotate 7 daily missingok # notifempty compress delaycompress create 640 root adm sharedscripts postrotate /etc/init.d/rsyslog restart endscript }
If still using popa3d
touch /var/log/mail/popa3d.log
FOR OLD SYSLOG BEHAVIOUR
!popa3d *.* /var/log/mail/popa3d.log
FOR RSYSLOG
in /etc/rsyslog.d/popa3d.conf if $programname == 'popa3d' and $syslogseverity <= '6' then /var/log/mail/popa3d.log if $programname == 'popa3d' and $syslogseverity <= '6' then ~
Mutt
Use Mutt to open a maildir:
mutt -m maildir -f ~/Maildir
Set Mutt to read maildir. Edit /etc/Muttrc
set folder="~/Maildir" set mask="!^\\.[^.]" set mbox="~/Maildir" set record="+.Sent" set postponed="+.Drafts" set spoolfile="~/Maildir"
Authentication with sasl
This uses saslauthd as an authentication layer between pam and postfix smtpd services to check if the user is allowed to log in. There are methods to use dovecot as an authentication layer too, but I haven't gotten that to work.
This one works so far:
http://wiki.debian.org/PostfixAndSASL with more info at http://www.postfix.org/SASL_README.html
Install libsasl2-modules, postfix, postfix-tls, sasl2-bin
/etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd mech_list: PLAIN LOGIN
/etc/default/saslauthd
START=yes
adduser postfix sasl
/etc/fstab
/var/run/saslauthd /var/spool/postfix/var/run/saslauthd bind bind 0 0
cd /var/spool/postfix mkdir -p var/run/saslauthd mount /var/spool/postfix/var/run/saslauthd
/etc/postfix/main.cf
smtpd_sasl_local_domain = $myhostname smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes
also make sure that smtpd_recipient_restrictions includes
permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
TLS
TLS is an encryption layer that runs on the submission port (587) waiting for people to log in. Make sure the firewall opens this port on UDP / TCP
First you need to generate the key files for the fully qualified mailname / myhostname / hostname of the machine. You can have multiple key files, but only one per IP adress.
Generating the certificate files
Get the certificate from Lets Encrypt
certbot certonly -d mail.edgarbv.com
choose apache.
Depreciated
When filling in common name (CN) Always fill in your domain eg mail.edgarbv.com Generate a private key
openssl genrsa -des3 -out mail.edgarbv.com.key 2048
Create a certificate request
openssl req -new -key mail.edgarbv.com.key -out mail.edgarbv.com.csr
Self sign the key
openssl x509 -req -days 365 -in mail.edgarbv.com.csr -signkey mail.edgarbv.com.key -out mail.edgarbv.com.crt
remove the password from the private certificate (we do this, so we don’t have to enter a password when you restart postfix):
openssl rsa -in mail.edgarbv.com.key -out mail.edgarbv.com.key.nopasscp mail.domain.tld.key mail.edgarbv.com.key.pass mv mail.domain.tld.key.nopass mail.edgarbv.com.key
Make ourself a trusted CA:
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Copy the files into a proper location:
chmod 600 mail.edgarbv.com.key chmod 600 cakey.pem mv mail.edgarbv.com.key /etc/ssl/private/ mv mail.edgarbv.com.crt /etc/ssl/certs/ mv cakey.pem /etc/ssl/private/ mv cacert.pem /etc/ssl/certs/
/etc/postfix/main.cf
# TLS parameters smtpd_tls_cert_file = /etc/letsencrypt/live/mail.edgarbv.com/fullchain.pem smtpd_tls_key_file = /etc/letsencrypt/live/mail.edgarbv.com/privkey.pem smtpd_use_tls = yes smtpd_tls_security_level = may smtpd_tls_loglevel = 2 smtpd_tls_received_header = yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_note_starttls_offer = yes smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Depreciated
smtpd_tls_cert_file = /etc/ssl/certs/mail.edgarbv.com.crt smtpd_tls_key_file = /etc/ssl/private/mail.edgarbv.com.key smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
Security for sasl and TLS
NB Default policy is:
smtp_sasl_security_options = noplaintext, noanonymous
So that shouldn't have to be changed to
smtp_sasl_security_options = noanonymous
Unless the remote server only offers plaintext authentication.
The same goes for TLS, where default is
smtp_sasl_tls_security_options = $smtp_sasl_security_options
This could be changed to something like:
smtp_sasl_security_options = noanonymous, noplaintext smtp_sasl_tls_security_options = noanonymous
using the submission port (587)
NB no whitespace around the '=' sign!
/etc/postfix/master.cf
submission inet n - - - - smtpd -o syslog_name=postfix/submission -o smtpd_etrn_restrictions=reject -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
Ensure the port is open in shorewall as well :)
Options to look at:
-o smtpd_tls_security_level=encrypt -o smtpd_sasl_security_options=noanonymous -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
using SSL with the ssmtp / smtps port (465)
/etc/postfix/master.cf
smtps inet n - - - - smtpd -o syslog_name=postfix/smtps -o smtpd_etrn_restrictions=reject -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
Ensure the port is open in shorewall as well :)
Testing
After a postfix restart you can telnet to the open ports, issue an ehlo and you should see AUTH in the list. Once for compliant and once for brokenclients
telnet localhost 25 Trying 127.0.0.1... Connected to edgarinet.localdomain. Escape character is '^]'. 220 edgarinet.edgarbv.com ESMTP Postfix (Debian/GNU) ehlo edgarbv.com 250-edgarinet.edgarbv.com 250-PIPELINING 250-SIZE 15000000 250-ETRN 250-STARTTLS '''250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN''' 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
If you don't see the AUTH in the list when connecting to port 587, There may be a problem with the certificate files. You can try putting the pem and key files are in the /etc/postfix directory somewhere. It doesn't always like it if they are in /etc/ssl/... somewhere but then it doesn't always like it if they are in the postfix dir either :S
You can check if the server is running properly as an SSL server with
openssl verify -purpose sslserver /etc/ssl/certs/ssl-cert-snakeoil.pem
You can check if SASL is running with
testsaslauthd -u razor -p "password"
Increase logging with
smtpd_tls_loglevel = 2
in main.cf
setting up for dovecot
An alternative idea is you set up dovecot to accept authentication through SASL and then pipe postfix through it to let it authenticate.
http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
You can test it as explained in these pages:
http://www.anchor.com.au/hosting/dedicated/Postfix-SASL-setup
http://www.adomas.org/2006/08/postfix-dovecot/
Useful info
accept for primary MX if it goes down
To accept messages in the mailqueue and defer them untill the primary MX server is up again, add the domain.ext to /etc/postfix/relay-domains and in transport add
domain.ext etrn-only:
The mail will then be delivered when sendmail -q is sent, or when
telnet mailserver 25, helo originating.domain etrn defermaildomain.ext
mails get defered - you can see them in mailq
also in /var/spool/postfix/flush/
postfix reload reloads the config
Squirrelmail and IMAP
for how to set up squirrelmail and cyrus for IMAP with postfix [Webmail_Squirrelmail_for_Debian]
force the queue delivery
postqueue -f
or deliver a specific message by
postsuper -r queue_id
Queue management
See the queue structure
qshape
you can see the active / incoming / deferred / hold queues by doing
qshape deferred
you may have to wait a bit for the output though.
To kill all deferred messages in the queue you can use
postsuper -d ALL deferred
An example from [4]
Example 5-1. Perl script to delete queued messages by email address #!/usr/bin/perl -w # # pfdel - deletes message containing specified address from # Postfix queue. Matches either sender or recipient address. # # Usage: pfdel <email_address> # use strict; # Change these paths if necessary. my $LISTQ = "/usr/sbin/postqueue -p"; my $POSTSUPER = "/usr/sbin/postsuper"; my $email_addr = ""; my $qid = ""; my $euid = $>; if ( @ARGV != 1 ) { die "Usage: pfdel <email_address>\n"; } else { $email_addr = $ARGV[0]; } if ( $euid != 0 ) { die "You must be root to delete queue files.\n"; } open(QUEUE, "$LISTQ |") || die "Can't get pipe to $LISTQ: $!\n"; my $entry = <QUEUE>; # skip single header line $/ = ""; # Rest of queue entries print on # multiple lines. while ( $entry = <QUEUE> ) { if ( $entry =~ / $email_addr$/m ) { ($qid) = split(/\s+/, $entry, 2); $qid =~ s/[\*\!]//; next unless ($qid); # # Execute postsuper -d with the queue id. # postsuper provides feedback when it deletes # messages. Let its output go through. # if ( system($POSTSUPER, "-d", $qid) != 0 ) { # If postsuper has a problem, bail. die "Error executing $POSTSUPER: error " . "code " . ($?/256) . "\n"; } } } close(QUEUE); if (! $qid ) { die "No messages with the address <$email_addr> " . "found in queue.\n"; } exit 0;
Postgrey is a greylister that rejects email from a server on the first try, using the fact that most spammers do not retry to send their email, whereas almost all normal mail servers do.
Old info
Old pop daemon
apt-get install popa3d
/etc/logrotate.d/postfix:
/var/log/mail/mail.log { prerotate /opt/myhost/statisticsmyhostmail.sh endscript daily missingok rotate 7 compress delaycompress notifempty create 640 root adm } /var/log/mail/popa3d.log /var/log/mail/mail.err /var/log/mail/mail.info /var/log/mail/mail.warn { daily missingok rotate 7 compress delaycompress notifempty create 640 root adm }